samedi 6 décembre 2014

An
Obfuscated Code is a code that has been modified and/or transformed in order to
make it harder (but not impossible) for humans to read and understand.
Unfortunately this technique has some disadvantages, it takes time to make an
obfuscated code especially if you have a long code, and some anti-virus
softwares could alert some obfuscated code as some kind of a malware.

There are
so many methods of obfuscation, I’ll only cover a few. In this tutorial I will talk
about is Code Mutation. It’s a technique that aims to replace each
instruction by it's equivalent.

Assuming
you want to calculate a number (for example 5) and then put it in a register (EAX
for example). Mathematically there are many ways as you can see:

1+1+1+1+1=5

2+3=5

2*3-1=5

25/5=5

sqrt(25)=5

3!-1=5

This is the
same as in programming. Let's see how to do that. I'll only work
on the first one (1+1+1+1+1=5) given that this is not about how to calculate.

We can express (1+1+1+1+1=5) in many ways. The first
way would be to use INC instruction 5 times, meaning increase EAX
five times:

XOR EAX,
EAX

INC EAX

INC EAX

INC EAX

INC EAX

INC EAX

OR we can
use the instruction ADD EAX, 1 instead of INC EAX:

XOR EAX,
EAX

ADD EAX,
1

ADD EAX,
1

ADD EAX,
1

ADD EAX,
1

ADD EAX,
1

Another way
is to use INC EAX or ADD EAX,1 inside a loop and
count EAX until it reaches 5:

XOR EAX,
EAX

@@:

INC EAX

CMP EAX,
5

JNZ @B

@@:

ADD EAX,
1

CMP EAX,
5

JNZ @B

But that has nothing with what we want, what we want is to make it just a little bit
harder to understand. That's where the important part comes, we’ll be working on the following code sample:

XOR EAX,
EAX

ADD EAX,
1

ADD EAX,
1

ADD EAX,
1

ADD EAX,
1

Instead of
using XOR EAX, EAX we could use MOV EAX, 0. And instead of ADD
EAX, 1 we could use:

NOT EAX

NEG EAX

Which would
lead us to the following code:

MOV EAX,
0

NOT EAX

NEG EAX

NOT EAX

NEG EAX

NOT EAX

NEG EAX

NOT EAX

NEG EAX

NOT EAX

NEG EAX

MOV EAX,
0 could become:

LEA EAX,
0

NOT EAX:

NEG EAX

SUB EAX,
1

AND NEG
EAX:

NOT EAX

ADD EAX,
1

I guess you
know what does that mean! Yes that’s right, we replace each instruction with it’s
equivalent:

LEA EAX,
0

NEG EAX

SUB EAX,
1

NOT EAX

ADD EAX,
1

NEG EAX

SUB EAX,
1

NOT EAX

ADD EAX,
1

NEG EAX

SUB EAX,
1

NOT EAX

ADD EAX,
1

NEG EAX

SUB EAX,
1

NOT EAX

ADD EAX,
1

NEG EAX

SUB EAX,
1

NOT EAX

ADD EAX,
1

As you can see above, our code has grown a
little and has become a little bit harder to understand (not impossible). You can
also see that we’ve got the same instructions we’ve mutated before (ADD EAX,
1, NOT EAX, NEG EAX) plus a new one (SUB EAX, 1) that can also be
mutated to (NEG EAX and NOT EAX) which means that each
instruction has an infinite amount of mutations.

Hope this was a useful article. Now you can try out the rest of the expressions.

There are plenty of articles in the Internet about what we are going to see today, but not the way i'm going to show it to you ;) but first Why the need to encrypt your application's source code? Maybe from being Reversed?! Maybe you already know about it and maybe you don't, however let me give you a little idea about what Software Reverse Engineering is, it's simply opening a program inside a tool called debugger(such as OllyDebugger, SoftICE, Immunity Debugger...) to make it's features fully working after they've been restricted only for the ones who buy it, it could be also for competitive purposes, etc...

So let's assume you have made an application and you want to protect some sensitive areas in your code (license key verification routine for example) from being reversed?, then you'll have to use an extension (example: compressor, protector, cryptor, etc...) which uses an extra protected/crypted code that jumps in a secure way to the original code, but that will only delay RE, because everything is just Crackable :) it could also be used to confuse antivirus engines from identifying malicious behaviors. So today we are going to concentrate on the code encryption part only, because there are numerous methods of Anti-RE. and we just don't want to get wasted :)

As the title says what we are going to see today is called a "Self Decryption Code" so what is this? this means the software decrypts a part of itself at runtime, which requires a decrypter stub inside the software and an encrypted code. There are many encryption methods such as XOR, RC4, Blowfish, Tea, etc..., some are static(with a static decryption key) and some are Dynamic (changes everytime) and there are many other methods..

But today we are going to see the Static Decryption method which is honestly easy to reverse. but that only depends on how you want it to be. And we want to protect that little part where the calculation and verification happens! let's see how to do that.We will try to encrypt the following code by using the XOR encryption with a key.

as you might already know every instruction starts with a number that is called an OpCode that determines the nature of that instruction, example: in the x86 family 0x6A correspond to the PUSH instruction, and so on :) so what we are going to do is to encrypt each opcode with the key we've chosen:

in the above code we get a typed integer and had put it in edx and then jump to the decryption algorithm where those 15 NOP's (because we had encrypted 15 bytes) are going to be replaced by, and if everything goes well you will either get a Wrong or Correct message.

As a conclusion, i must say that the example given above is the most easiest thing a reverser could encounter, but there are many ways of making your decryption code much more harder and complicated, but remember that nothing is impossible especially in this domain ;) and hopefully i cover more of this in my future posts.

Hope this was a useful article. Now i will let you with your imagination.

samedi 17 mai 2014

Hello World! It's been a while since my last post, real life sucks :/ After saying that, I've made another Hasher, just a small one for my learning!! anyway I'll stop the talking and share it with you all:

Not something big, but hope this gives you an idea of python and it's hashlib :)

vendredi 6 septembre 2013

Recently i have made this handy utility to make it easy for me and also for you to protect your important files using a private key.

It's very easy to use because all you need to do is load the target file and type in the private key used by Cipher0z but you will have to remember that private key because it is the only way to get back your encrypted data.